Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 21 Jul 2006 12:45:43 -0400
If passphrase cracking is so easy, you should have no problem cracking my three challenges. They are significantly shorter than "The Cat in the Hat is Back" with no or little complexity. The prize awaits you. Everyone keeps saying how easy it is to break English word passphrases, but so far no one has cracked my simple 15-character passphrase. #2 is easy with no complexity.

Roger

-----Original Message-----
From: Stephen John Smoogen [mailto:smooge () gmail com]
Sent: Wednesday, July 19, 2006 12:41 PM
Cc: security-basics () securityfocus com
Subject: Re: ADS Password Storage Protection

On 7/18/06, Depp, Dennis M. <deppdm () ornl gov> wrote:
> Do you audit for attempts using brute force to guess passwords? What you are describing is a brute force password attempt using well known pass phrases. A better pass phrase might be something personal like "I have three children and a beautiful wife who stands 5' 7"." This will be difficult to guess and will not be found in Bartlett's Book of Quotations.

In the end, it comes down to what you are trying to protect and how much you are going to protect it. Having done a lot of brute-force password checking with phrases and such, it was pretty quick (I think about 48 hours) to find "The Cat in the Hat is Back" through a long list of various phrases and words. However, all it took was to misspell Hat as Hta and it was functionally longer than I wanted to wait for the secondary dictionary attacks (misspellings, changing e->3, etc.) to find it.

I would say that having a phrase+complexity test is good advice. The complexity test can be the addition of numbers, special characters etc. that are not at the beginning and end of the phrase, and there are several 'modules' prewritten for many password programs to test for this.

However, my main advice is for a site that is looking for better security to use one-time passwords, lockouts, and end-to-end authentication. A one-time password system usually requires some sort of 'two-factor' device (SecurID, CryptoCard, etc.) and helps make it that the password is not guessable.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
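A passphrase policy check in the spirit of this thread, added here as an illustration and not code posted by anyone on the list: it rejects a passphrase that matches a well-known phrase even after common e->3 style substitutions are undone, and enforces the rule from Smoogen's message that numbers or special characters must sit inside the phrase rather than at either end. The phrase list, the substitution table and the minimum length are constructed for the example.

```python
import re

# Constructed sample of well-known phrases a dictionary attack would carry;
# a real deployment would load a large quotation/lyric corpus here.
KNOWN_PHRASES = {
    "thecatinthehatisback",
    "tobeornottobe",
    "apennysavedisapennyearned",
}

# Common substitutions undone during normalization so that
# "Th3 Cat in th3 Hat is Back" still matches the plain phrase.
LEET_MAP = str.maketrans({"3": "e", "1": "i", "0": "o", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(phrase: str) -> str:
    """Lower-case, undo leet substitutions, keep letters only.

    Note: a genuine misspelling ("Hta" for "Hat") still defeats this exact
    match, which is why the thread saw it slow the attack; the checker does
    not rely on that, it only rejects what it knows.
    """
    text = phrase.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", text)


def has_interior_complexity(phrase: str) -> bool:
    """A digit or special character that is neither first nor last (spaces don't count)."""
    interior = phrase[1:-1]
    return any(not ch.isalpha() and not ch.isspace() for ch in interior)


def check_passphrase(phrase: str, min_length: int = 15) -> list[str]:
    """Return the policy violations; an empty list means the passphrase is accepted."""
    problems = []
    if len(phrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalize(phrase) in KNOWN_PHRASES:
        problems.append("matches a well-known phrase (even after undoing substitutions)")
    if not has_interior_complexity(phrase):
        problems.append("no digit or special character inside the phrase")
    return problems


if __name__ == "__main__":
    for candidate in ("The Cat in the Hat is Back", "Th3 Cat in th3 Hat is Back!",
                      "I have 3 kids & a tall wife", "Short 1!"):
        print(repr(candidate), "->", check_passphrase(candidate) or "accepted")
```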